Boat Drinks  

11-03-2007, 17:32   #1
Belmit
How lax is this?!

I heard today about the news that someone had been shot at Loughborough university (where I graduated from in 2004) at a gig in the union. Looks like everyone involved is going to be OK though.

For the first time in months, maybe years, I went to the university's website and had a look around, with the false hope that they might have mentioned the incident somewhere. I was pleased to see it's still as disorganised as it ever was, and eventually found my way to the IT department pages since it was my old department. For a laugh I thought I'd try my login details on the webmail, knowing full well the account had been rescinded after graduation and hadn't worked after that.

Lo and behold, it logged me in to someone else's email account.

This can only mean one of two things: either they just emptied the documents and email before passing the account on to someone else, or they created a new account with the same username and generated the exact same password along with it. Usernames are created using the first two letters of the department followed by your initials. In this case it made 'cocdb' - computing followed by my three initials (also my old username). The password I tried was the one they gave me on day one - a mixture of six random letters and numbers. I can only assume they gave the same default password to this new user and he too has not changed it since he started in 2004 (which the emails date back to).

I really don't know what to say or do. The chances of someone joining that department with the same initials as me would be slim, but certainly not impossible, but to recycle the username AND give them the same default password defies belief. The things I could do with that account in terms of damage to the individual person, and the implications for the university, are staggering, especially when you consider that my course and the course this person no doubt does highlight such subjects as IT security.

I'm amazed.
11-03-2007, 18:41   #2
Haly

That's very alarming
11-03-2007, 19:05   #3
Kell_ee001

That is shocking! Are you going to report it?
11-03-2007, 19:13   #4
Will

That is shocking! God that place is really a joke...

I wonder if my login would work....
11-03-2007, 19:30   #5
Belmit

Quote:
Originally Posted by Miss Smilie
"That is shocking! Are you going to report it?"

Don't know. I'm certainly considering it but don't really know who to approach, or if it would even be worth it. There's no love lost between me and the university, especially with my old department, so it's whether I do it for the good of other people it could affect.
11-03-2007, 19:34   #6
Mark

Be careful. If they're like that, they're as likely to throw the misuse of computers act at you as thank you for the information. :/
11-03-2007, 19:46   #7
Belmit

Another salient point I was considering. It wouldn't surprise me in the slightest. The head of IT security is an ex-government agent as well (at least when I was there) and I'm sure he'd like nothing better than to spin it around to an 'ex-student with grudge hacks IT system but is thwarted by victorious university' angle.
12-03-2007, 01:07   #8
Dr. Z

Do nothing at all through the university - security is their concern after all, and you can only incriminate yourself because you accessed the system knowing full well you shouldn't have been able to access it.

What I personally would do would be to deliver an "anonymous" email to the students' union, speaking as an alumnus, expressing your concerns that current university students are at risk.

Of course, donning the shoe on the other foot for a second, if that password WAS generated by a really poor algorithm, the user should have carried out "best practice" in immediately changing that initial password...
12-03-2007, 08:38   #9
jmc41

Sounds like Leicester, I'd send him a mail from himself or leave a draft as harib0 said, or do nothing at all.

They're too likely to get all in a fit about it if they find out; though that's kinda a risk if you leave the guy a message :undecided:
All times are GMT +1.